The TJX Cos. collected far too much consumer data for far too long and failed to upgrade its Wi-Fi security to the stronger WPA encryption protocol, according to the findings of a report issued Tuesday by Canadian privacy officials.
"The technology that TJX was using at the time was not up to the task and in fact the credit card industry has suggested that industries in its sector migrate to a higher level of encryption technology," said Jennifer Stoddart, the Privacy Commissioner of Canada in a press conference following the release of the report.
At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP standard and is compatible with the latest standard, IEEE 802.11i, commonly referred to as WPA2.
TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses. The Canadian officials said Tuesday that the point of entry for the attackers was two Marshalls stores in Miami.
TJX maintains that it acted within a reasonable amount of time, and earlier than other retailers, to enable Wi-Fi encryption. TJX started a WPA conversion project in October 2005 and completed it in mid-January 2007. The final conversion to a higher level of encryption will be completed soon, according to the report.
Investigators believe the thieves aimed a telescope-shaped antenna at the store and used a laptop, cracking the WEP encryption to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of TJX, where they would repeatedly rob the system of sensitive customer data.
The Canadian report also recommends that the retailer institute a hashing system so that it no longer has to store driver's license numbers to track fraudulent returns. TJX said it was collecting the data to track customers who returned items without a receipt. The hashing technique would transform the license number into a shorter, fixed-length value, or key, that stands in for the original driver's license number.
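An added example, not drawn from the report or from TJX, of how a return-tracking system can match repeat customers on a fixed-length token instead of the license number itself. It assumes a secret key held by the retailer (constructed here) and uses a keyed hash (HMAC-SHA-256) rather than a plain hash, because license numbers have so little entropy that an unkeyed hash table could be matched back to numbers by simple enumeration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample key for this example. In a real deployment it is
# generated randomly and kept in a key store, never next to the token table.
SECRET_KEY = bytes.fromhex(
    "4f5c9a3b1e7d2c8a6b0f4e1d9c3a7b2e5d8f1a0c6e4b2d9f7a3c1e5b8d0f2a4c"
)


def normalize_license(raw: str) -> str:
    """Canonicalize the number so 's-123 456' and 'S123456' yield one token."""
    return "".join(ch for ch in raw if ch.isalnum()).upper()


def license_token(raw: str, key: bytes = SECRET_KEY) -> str:
    """Fixed-length (64 hex chars) keyed hash of a normalized license number.

    Without the key, someone who obtains the token table cannot rebuild the
    mapping by hashing every plausible license number and comparing.
    """
    data = normalize_license(raw).encode("ascii")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ReturnTracker:
    """Counts no-receipt returns per customer while storing only tokens."""

    def __init__(self, limit: int = 3) -> None:
        self.limit = limit
        self._returns: Counter = Counter()

    def record_return(self, raw_license: str) -> bool:
        """Log one return; True means this customer is now over the limit."""
        token = license_token(raw_license)
        self._returns[token] += 1
        return self._returns[token] > self.limit

    def stored_values(self) -> list:
        """What actually sits in the table: tokens, never license numbers."""
        return list(self._returns)
```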
"When the technology exists to protect data, we expect companies to move quickly to adopt that technology," said Frank Work, the Information and Privacy Commissioner of Alberta.
The Canadian officials said the report is intended to guide other merchants to enable proper security protocols and technologies. They said merchants should be proactive in meeting the Payment Card Industry Data Security Standard (PCI DSS), but acknowledged that medium and smaller businesses don't have the resources to adopt the latest security technologies. Finally, the privacy officials also said that consumers ultimately need to keep a tighter grip on their personal information.
"We're not interested in beating up on TJX," Work said. "They got burned but so did a lot of other institutions and a lot of customers also got burned. The criminals are good and we just have to be better."
The Canadian report was issued within days of a tentative settlement reached by TJX in a class-action lawsuit with customers who were victims of the breach. TJX is offering affected customers three years of credit monitoring services and identity theft insurance, according to a public statement released by company president and CEO Carol Meyrowitz.